
Silent refresh for implicit flow #43

Closed
marcelnem opened this issue Apr 11, 2018 · 14 comments
Labels: enhancement This issue/PR is an enhancement or new feature.

Comments

@marcelnem

It would also be nice to expand the updateToken() function to also support the implicit flow. Currently it works only with a standard flow. It is recommended to use implicit flow with public clients such as an Angular SPA. Using implicit flow prevents keeping a refresh token in a public application.

Silent refresh is usually implemented by the hidden iframe trick as is done in this library (https://manfredsteyer.github.io/angular-oauth2-oidc/angular-oauth2-oidc/docs/additional-documentation/refreshing-a-token-(silent-refresh).html). Auth0 also has an implementation for this and their code is also MIT licensed. (https://auth0.github.io/auth0.js/global.html#renewAuth)

@mauriciovigolo mauriciovigolo added the enhancement This issue/PR is an enhancement or new feature. label Apr 12, 2018
@mauriciovigolo
Owner

Excellent @marcelnem!

Let's ship this in the next version as we already talked.

@rightisleft

rightisleft commented Jun 5, 2018

Does this address the symptom where there's what appears as a temporary redirect before the page is authenticated?

Each time my user refreshes an app - they temporarily see the current route change to

.../foo#state=745282f8-0d38-4002-....

mauriciovigolo added a commit that referenced this issue Jun 26, 2018
- Avoid the token update when the implicit flow is chosen.
- It will perform a silent refresh as planned in issue #43.
@dasniko

dasniko commented Mar 29, 2019

Just for your information:
There's currently a PR in the Keycloak project, adding silent refresh for implicit flow to the keycloak.js adapter: keycloak/keycloak#5932

@mauriciovigolo
Owner

Great to know @dasniko! Nice job!

@devansvd

@mauriciovigolo any updates on this? Refresh token does not work in any way.

@marcelnem
Author

@devansvd @mauriciovigolo The new Best Practice is that the code grant with PKCE should be used instead of implicit grant for Single Page Applications.

see discussion here to learn why:
keycloak/keycloak#5932 (comment)

PKCE support for Keycloak JS adapter should be developed soon. See this PR:
keycloak/keycloak#6047

@adrianschneider94

adrianschneider94 commented Sep 2, 2019

I totally see that code grant with PKCE is more secure than the implicit flow.
But still one needs to refresh the access token.
And keeping the refresh token client side in the browser is still not secure (-> Browser Extensions!) as there is no support of token binding yet.

So I think the most secure solution at the moment would be Code grant with PKCE and token renewal with iframe silent refresh.

-> I think silent refresh is still needed.

@jonkoops
Collaborator

I'm going to go ahead and see if we can get this implemented now, considering keycloak-js should have this functionality. It's still unclear to me how this should be implemented, so I am going to do some research; if anyone has some insights, feel free to share them.

@jonkoops
Collaborator

jonkoops commented Feb 21, 2020

Looks like the required method checkSsoSilently (see here) is not exported from Keycloak JS. Meaning we will have to implement it here or make a PR to export this method.

@dasniko

dasniko commented Feb 23, 2020

keycloak-js doesn't have the option to refresh tokens silently when using the implicit flow. The checkSsoSilently option is just for checking the SSO state initially when accessing the site through an iframe and avoiding a useless redirect of the whole page.

@jonkoops
Collaborator

Exactly, it would have to be implemented there first in order for this to work. Although I believe, if I am not mistaken, that checkSsoSilently could be executed again (if exposed) after the token expires in order to 'refresh' the session.

@HuiiBuh

HuiiBuh commented Jul 13, 2020

There is an onTokenExpired hook you can use to refresh tokens if you want to.

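One way to wire the onTokenExpired hook mentioned in the comment above to keycloak-js's updateToken(), as an added example that is not code from the keycloak-angular project or from the commenter. It assumes a keycloak-js instance (`keycloak`) that was created with `new Keycloak({...})` and initialised elsewhere using the authorization-code flow (so a refresh token exists), and a recent keycloak-js in which updateToken() returns a native Promise; `onRefreshed` and `onSessionLost` are hypothetical caller callbacks. The point a practitioner wants here is the failure handling: a rejected refresh (no refresh token under the implicit flow, or an expired SSO session) must end in a login redirect, not a retry loop, and overlapping expiry events must not start parallel refreshes.

```javascript
// Added example (not keycloak-angular or keycloak-js code). `keycloak` is an initialised
// keycloak-js instance (assumption); onTokenExpired, updateToken(minValidity), token and
// login() are keycloak-js API members. onRefreshed/onSessionLost are hypothetical hooks.
function installTokenRefresh(
  keycloak,
  { minValidity = 30, onRefreshed = () => {}, onSessionLost = () => keycloak.login() } = {}
) {
  let inFlight = false; // onTokenExpired may fire again before the first refresh settles

  keycloak.onTokenExpired = () => {
    if (inFlight) return; // never run two refreshes concurrently
    inFlight = true;

    // updateToken(minValidity) resolves true when a new access token was fetched, false
    // when the current one is still valid for minValidity seconds, and rejects when no
    // refresh token is available (implicit flow) or the server-side session is gone.
    keycloak
      .updateToken(minValidity)
      .then((refreshed) => {
        if (refreshed) onRefreshed(keycloak.token); // e.g. update the Authorization header
      })
      .catch(() => onSessionLost()) // re-authenticate instead of retrying forever
      .finally(() => {
        inFlight = false;
      });
  };

  return keycloak.onTokenExpired;
}
```

With a real keycloak-js instance, `installTokenRefresh(keycloak, { minValidity: 30, onRefreshed: (t) => http.setBearer(t) })` is called once after `keycloak.init()` resolves; keycloak-js then invokes the hook whenever the access token expires.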

@devansvd

devansvd commented Jul 13, 2020

@marcelnem @mauriciovigolo totally agree. Code with PKCE is the recommended approach nowadays. https://devansvd.com/oauth/#authorization-code-grant-with-pkce

@jonkoops
Collaborator

Closing this as the code grant flow is now the recommended standard and these changes will need to be made in keycloak-js and not Keycloak Angular.


8 participants